<html>
<head>
<meta http-equiv="content-type" content="text/html; charset=UTF-8">
</head>
<body text="#000000" bgcolor="#FFFFFF">
I've followed the wiki article here:<br>
<p><a
href="https://gitlab.com/apparmor/apparmor/wikis/FullSystemPolicy">https://gitlab.com/apparmor/apparmor/wikis/FullSystemPolicy</a></p>
However, I've got a number of questions I was hoping someone could
help clarify for me.<br>
First, let me walk through what I did after step 6 (reboot after
update-initramfs -u):<br>
From the console during boot:
<blockquote>Begin: Running /scripts/init-bottom ... Warning from
stdin (line 1): /sbin/apparmor_parser: cannot use or update cache,
disable, or forc[ 36.264702] audit: type=1400
audit(1558716282.248:2): apparmor="STATUS"
operation="profile_load" profile="unconfined" name="init-systemd"<br>
e-complain via
stdin
<br>
done.
<br>
[ 36.380094] audit: type=1400 audit(1558716282.360:3):
apparmor="ALLOWED" operation="open" profile="init-systemd"
name="/etc/ld.so.cache" pid=1 comm="init" requested_mask="r"
denied_mask="r" fsuid=0
ouid=0
<br>
[ 36.383988] audit: type=1400 audit(1558716282.364:4):
apparmor="ALLOWED" operation="open" profile="init-systemd"
name="/lib/x86_64-linux-gnu/libc-2.27.so" pid=1 comm="init"
requested_mask="r" denied_mask="r" fsuid=0
ouid=0 <br>
[ 36.389412] audit: type=1400 audit(1558716282.372:5):
apparmor="ALLOWED" operation="file_mmap" profile="init-systemd"
name="/lib/x86_64-linux-gnu/libc-2.27.so" pid=1 comm="init"
requested_mask="rm" denied_mask="rm" fsuid=0
ouid=0 <br>
[ 36.393851] audit: type=1400 audit(1558716282.376:6):
apparmor="ALLOWED" operation="open" profile="init-systemd"
name="/lib/systemd/libsystemd-shared-237.so" pid=1 comm="init"
requested_mask="r" denied_mask="r" fsuid=0
ouid=0 <br>
[ 36.397457] audit: type=1400 audit(1558716282.380:7):
apparmor="ALLOWED" operation="file_mmap" profile="init-systemd"
name="/lib/systemd/libsystemd-shared-237.so" pid=1 comm="init"
requested_mask="rm" denied_mask="rm" fsuid=0
ouid=0 <br>
[ 36.401758] audit: type=1400 audit(1558716282.384:8):
apparmor="ALLOWED" operation="open" profile="init-systemd"
name="/lib/x86_64-linux-gnu/librt-2.27.so" pid=1 comm="init"
requested_mask="r" denied_mask="r" fsuid=0
ouid=0 <br>
[ 36.409685] audit: type=1400 audit(1558716282.392:9):
apparmor="ALLOWED" operation="file_mmap" profile="init-systemd"
name="/lib/x86_64-linux-gnu/librt-2.27.so" pid=1 comm="init"
requested_mask="rm" denied_mask="rm" fsuid=0
ouid=0 <br>
[ 36.413464] audit: type=1400 audit(1558716282.396:10):
apparmor="ALLOWED" operation="open" profile="init-systemd"
name="/lib/x86_64-linux-gnu/libseccomp.so.2.3.1" pid=1 comm="init"
requested_mask="r" denied_mask="r" fsuid=0
ouid=0 <br>
[ 36.416835] audit: type=1400 audit(1558716282.400:11):
apparmor="ALLOWED" operation="file_mmap" profile="init-systemd"
name="/lib/x86_64-linux-gnu/libseccomp.so.2.3.1" pid=1 comm="init"
requested_mask="rm" denied_mask="rm" fsuid=0
ouid=0 <br>
</blockquote>
<br>
<p>Now, since the init-systemd profile doesn't contain any rules,
this is expected (and wanted). However, I tried a number of
things to get rid of them and only one of them worked.</p>
<p>First, to make sure I understand what those log entries are
saying:</p>
<p>the "init" program is attempted to read and/or memory map certain
files, however due to the init-systemd profile, if it wasn't set
to complain, these actions would have been blocked.<br>
</p>
<p>My first thought was to create a new init profile ... something
like:</p>
<blockquote>
<p>profile init /init flags=(complain) {</p>
<p> # init in initramfs is at the root, not /sbin/<br>
</p>
<p> /etc/ld.so.cache r,</p>
<p> /lib/** rm,</p>
<p>}<br>
</p>
</blockquote>
<p>however after adding a new apparmor_parser command to the
apparmor script to load this in init-bottom, nothing changed after
reboot.<br>
</p>
<p>So then I thought I needed to create a sub profile within the
init-systemd profile for init, however, I probably didn't do this
correctly, or it just won't work:<br>
</p>
<blockquote>
<p>/init Cx -> init</p>
<p><br>
</p>
<p>profile init flags=(complain) {</p>
<p> /etc/ld.so.cache r,</p>
<p> /lib/** rm,<br>
</p>
<p>}</p>
</blockquote>
Again, those same log entries returned.<br>
<br>
What worked was to modify the init-systemd profile directly:<br>
<blockquote>profile init-systemd /lib/systemd/systemd
flags=(complain) {<br>
<br>
/etc/ld.so.cache r,<br>
/lib/** rm,<br>
<br>
}<br>
</blockquote>
<p>However, this isn't ideal because, I think, it means all things
that systemd runs inherit these permissions, not just init.<br>
</p>
<p>I noticed something else too -- after that worked, I got a new
list of additional audit messages:</p>
<blockquote>
<p>[ 38.840399] audit: type=1400 audit(1558733899.848:5):
apparmor="ALLOWED" operation="open" profile="init-systemd"
name="/usr/lib/x86_64-linux-gnu/libip4tc.so.0.1.0" pid=1
comm="init" requested_mask="r" denied_mask="r" fsuid=0
ouid=0 <br>
[ 38.843656] audit: type=1400 audit(1558733899.848:6):
apparmor="ALLOWED" operation="file_mmap" profile="init-systemd"
name="/usr/lib/x86_64-linux-gnu/libip4tc.so.0.1.0" pid=1
comm="init" requested_mask="rm" denied_mask="rm" fsuid=0
ouid=0 <br>
[ 38.852170] audit: type=1400 audit(1558733899.860:7):
apparmor="ALLOWED" operation="open" profile="init-systemd"
name="/usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1" pid=1
comm="init" requested_mask="r" denied_mask="r" fsuid=0
ouid=0 <br>
[ 38.855990] audit: type=1400 audit(1558733899.860:8):
apparmor="ALLOWED" operation="file_mmap" profile="init-systemd"
name="/usr/lib/x86_64-linux-gnu/liblz4.so.1.7.1" pid=1
comm="init" requested_mask="rm" denied_mask="rm" fsuid=0
ouid=0 <br>
[ 38.871219] audit: type=1400 audit(1558733899.876:9):
apparmor="ALLOWED" operation="open" profile="init-systemd"
name="/usr/lib/x86_64-linux-gnu/libargon2.so.0" pid=1
comm="init" requested_mask="r" denied_mask="r" fsuid=0
ouid=0 <br>
[ 38.888320] audit: type=1400 audit(1558733899.896:10):
apparmor="ALLOWED" operation="file_mmap" profile="init-systemd"
name="/usr/lib/x86_64-linux-gnu/libargon2.so.0" pid=1
comm="init" requested_mask="rm" denied_mask="rm" fsuid=0
ouid=0 <br>
[ 38.938441] audit: type=1400 audit(1558733899.944:11):
apparmor="ALLOWED" operation="open" profile="init-systemd"
name="/proc/filesystems" pid=1 comm="init" requested_mask="r"
denied_mask="r" fsuid=0 ouid=0 </p>
</blockquote>
<p>It's like I'm only getting a few of these at a time -- I added
this to the kernel boot parameter: 'audit_backlog_limit=65536' but
that didn't seem to affect the number of these that I was shown.
I assume some type of throttling might be occurring but there was
no notice of this happening on the console.<br>
</p>
<p>So, now my questions:</p>
<p>1) Can I separate out the different "comm" matches into different
profile files or do I need to maintain one monolithic file?</p>
<p>2) If I want to worry about restricting binaries later, but only
want to "whitelist" at this point in time, is there a generic
profile that I can create that will grant all permissions?</p>
<p>3) Why did this "Warning from stdin (line 1):
/sbin/apparmor_parser: cannot use or update cache, disable, or
for" disappear when I started to use profile files instead of echo
for apparmor_parser?</p>
<p>4) Will I be able to retain the apparmor profile files that come
with Ubuntu? I assume I'll need to duplicate most of the stuff
I've done in initramfs into /etc/apparmor.d somewhere?</p>
<p>5) How does apparmor handle multiple profiles that match on the
same file? Was my separate init profile file ignored because the
init-systemd one already matched on it?</p>
<p>Appreciate any feedback.<br>
</p>
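<p>Added example, not part of the message above or of the AppArmor project's own tooling: a small Python script that parses kernel audit lines like the ones quoted in the post, groups the denied masks by profile and by the "comm" that triggered them, and renders the file rules a profile would need to stop complaining about those accesses. This is the same bookkeeping a practitioner does by hand (or with aa-logprof) before deciding whether accesses belong in the parent profile or in a child profile per comm. The sample lines are copied from the post and re-joined onto single lines; the function names and the fixed ordering of permission letters are my own choices, not AppArmor conventions.</p>

```python
import re
from collections import defaultdict

# Constructed sample input: audit lines quoted in the post above, re-joined
# onto one line each (the mailing-list wrapping had split them). The STATUS
# line is included to show that non-file events are skipped.
SAMPLE_LOG = """\
[   36.264702] audit: type=1400 audit(1558716282.248:2): apparmor="STATUS" operation="profile_load" profile="unconfined" name="init-systemd"
[   36.380094] audit: type=1400 audit(1558716282.360:3): apparmor="ALLOWED" operation="open" profile="init-systemd" name="/etc/ld.so.cache" pid=1 comm="init" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   36.383988] audit: type=1400 audit(1558716282.364:4): apparmor="ALLOWED" operation="open" profile="init-systemd" name="/lib/x86_64-linux-gnu/libc-2.27.so" pid=1 comm="init" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
[   36.389412] audit: type=1400 audit(1558716282.372:5): apparmor="ALLOWED" operation="file_mmap" profile="init-systemd" name="/lib/x86_64-linux-gnu/libc-2.27.so" pid=1 comm="init" requested_mask="rm" denied_mask="rm" fsuid=0 ouid=0
[   38.938441] audit: type=1400 audit(1558733899.944:11): apparmor="ALLOWED" operation="open" profile="init-systemd" name="/proc/filesystems" pid=1 comm="init" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

# key=value pairs; values are either double-quoted or a bare token.
FIELD_RE = re.compile(r'(\w+)=("[^"]*"|\S+)')

# Rendering order for permission letters. AppArmor accepts the letters in any
# order; this fixed order (my choice) only makes the output deterministic.
MASK_ORDER = "mrwlk"


def parse_audit_line(line):
    """Return the key/value fields of one AppArmor file event (type=1400 with
    an ALLOWED or DENIED verdict), or None for anything else."""
    fields = {k: v.strip('"') for k, v in FIELD_RE.findall(line)}
    if fields.get("type") != "1400":
        return None
    if fields.get("apparmor") not in ("ALLOWED", "DENIED"):
        return None  # STATUS / profile_load events carry no file access
    if "name" not in fields or "denied_mask" not in fields:
        return None
    return fields


def summarize(log_text):
    """Group denied permission letters by (profile, comm) and then by path.

    In complain mode the verdict is ALLOWED but denied_mask still lists what
    enforce mode would have blocked, so that is the field we accumulate."""
    summary = defaultdict(lambda: defaultdict(set))
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        summary[(rec["profile"], rec["comm"])][rec["name"]].update(rec["denied_mask"])
    return summary


def render_mask(letters):
    """Render a set of permission letters in the fixed MASK_ORDER."""
    return "".join(c for c in MASK_ORDER if c in letters)


def suggest_rules(summary, profile, comm):
    """Return sorted file rules (one string per path) for one (profile, comm)."""
    paths = summary.get((profile, comm), {})
    return [f"  {path} {render_mask(letters)}," for path, letters in sorted(paths.items())]


def render_profile(name, attachment, rules, complain=True):
    """Wrap rules in a profile header using the syntax shown in the post."""
    flags = " flags=(complain)" if complain else ""
    return f"profile {name} {attachment}{flags} {{\n" + "\n".join(rules) + "\n}\n"


if __name__ == "__main__":
    summary = summarize(SAMPLE_LOG)
    for (profile, comm), paths in summary.items():
        print(f"# {len(paths)} path(s) denied for profile={profile} comm={comm}")
    rules = suggest_rules(summary, "init-systemd", "init")
    print(render_profile("init-systemd", "/lib/systemd/systemd", rules))
```

<p>Running the script prints one profile block whose rules are derived from the log rather than typed by hand; because the open and file_mmap events for libc are merged into a single "mr" rule, the output is shorter than the raw log. The (profile, comm) grouping also answers, for a given log, whether a second comm ever shows up under the same profile, which is the data point needed before splitting rules out into a child profile.</p>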
</body>
</html>